
A Storage Management Perspective on Sarbanes Oxley


Ensuring that, as additional storage is added, new data continues to be managed in accordance with SOX policies is an ongoing activity.

By James Damoulakis
GlassHouse Technologies

Mention storage in the same breath as Sarbanes Oxley and the immediate reaction of senior management might be to hide the checkbook. Invariably a vendor is making a pitch on how the latest and greatest WORM-enabled, magneto-optical, network-replicated gizmo is going to solve all of their problems. SOX has become the latest in a line of vehicles to which vendors have hitched their wagons in order to sell more gear (remember the Y2K buying frenzy?). The sad truth of the matter is that you could have the greatest technology in the world and still fail a compliance audit miserably.

The storage manager's dilemma

Don't get me wrong: vendors are not solely to blame. To quote that great American philosopher Pogo, "We have met the enemy and he is us." Many organizations procrastinated before giving serious consideration to SOX, particularly to Section 404's compliance requirements, and are now scrambling at the last minute to address these issues. Of course, the IT organization ends up bearing the brunt of this and, to a large extent, is unprepared to deal with it. Kept largely in the dark while finance, legal, and compliance departments met with consultants and formulated policies, IT is now expected to come through, at the 11th hour, with a miracle that somehow implements systems to meet the regulation's directives. The instinctive reaction within IT may be to pick up the phone and call vendors to see if anyone has a Sarbanes Oxley solution to sell. And they do, sort of.

Within the IT infrastructure organization much of the burden of SOX is borne by the storage management group, which is responsible for data protection and recovery. Unfortunately, in many environments storage management is hamstrung by a lack of visibility into the requirements of SOX. This is symptomatic of a larger problem: lack of visibility into the value of the data that IT manages. Most data these days is stored on disk, backed up, and sometimes even replicated. Too often, from a storage management perspective, it is treated in the same manner regardless of importance or value. Data often has not been classified to differentiate high-value data from low-value data, and the storage manager certainly has no idea which data is SOX-critical. When given a directive to manage SOX data, storage managers, in desperation, turn to their vendors.

The vendors then offer technology components that could potentially be incorporated into a solution to a data retention problem. These include primary, secondary, and tertiary storage systems, robotic tape libraries with WORM tape technology, associated networking components, and software to manage all of these devices. Unfortunately, vendors typically cannot sell storage managers what they really need: a set of management and operational processes that can demonstrably ensure internal storage infrastructure controls are compliant with the specifics of the auditing framework being followed within the environment.

Storage and Section 404

Why the emphasis on process? This past November, Section 404 of the Sarbanes Oxley Act went into effect. Among other things, it requires a company to file an internal control statement with its annual report that includes "an assessment, as of the end of the most recent fiscal year ... of the effectiveness of the internal control structure and procedures of the issuer for financial reporting." Essentially, the government is demanding not just that the data be retained, but that companies provide evidence that they are managing and protecting this information in a way that ensures compliance; in other words, show us some proof!

While the primary IT-specific impact of Section 404 falls on those groups responsible for financial applications, the IT infrastructure, particularly storage and data protection, is also feeling the effect. At a minimum, storage groups must identify and document processes and establish reporting capabilities to demonstrate that storage management policies and processes are in compliance. From a regulatory perspective, storage-specific activities fall under the category of "general controls", activities that support applications and ensure that systems are reliable and data is protected.

What aspects of storage management must be considered and what needs to be done? Specific areas include:

• Data protection, including data security and the management of backup/restore operations

• Data availability, including policies related to the access to and retrievability of data, both current and from archival sources

• Data recovery, including the ability to recover data in the event of a disaster

Activities in each of these areas include:

• Ensuring that policies exist, are documented, and are approved by legal and compliance

• Validating processes against policies to ensure that they support them, that they are documented, and that they are followed

• Putting reporting processes and tools in place that provide evidence

• Establishing a validation process: testing of controls and of the accuracy of reporting information

The Upside of SOX

Many storage organizations perceive working toward SOX compliance as a disruptive task adding unnecessary burden to an overworked staff. This is a likely sign of a poorly prepared organization. In reality, many of the activities associated with SOX compliance are things that already should be done as standard policy in a well-run organization. IT audit frameworks such as COBIT® (Control Objectives for Information and related Technology) refer to adherence to "good practice", and many organizations have internal goals to meet "best practice" standards. Much of the basis for a SOX-compliant storage infrastructure is following best practices. Activities such as defining standard operating procedures and providing reporting and metrics to support those procedures are simply good practice. Specific activities, such as data classification and recoverability testing, are essential to meeting critical needs of the business as well as to compliance. In other words, if a storage organization is doing the things that it is supposed to be doing, it will not have extraordinary difficulty in meeting its SOX demands. And if it is not, then the SOX compliance effort can be viewed as a golden opportunity to fix those problems and to better meet the needs of business users.

Where to start

The first step for storage management is to develop a basic SOX competency. This could come from several places and should consist of understanding the law itself, its impact on the organization, and specifically what it means for storage management.

To ensure understanding of organizational requirements, storage management must rely on the appropriate corporate functions: compliance, risk management, finance, and legal. More challenging is the process of interpreting corporate policies and guidelines and turning them into practices that are actionable by IT. A data retention directive, for example, can be acted upon and implemented in a number of ways. Determining which is most appropriate is not always easy. It is likely to be the responsibility of IT to help identify such issues and to be in a position to recommend appropriate courses of action, further underscoring that IT can add value to the SOX compliance process by working closely with other corporate functions. The combined effort between the policy makers and the technical experts will ensure that the actions taken will best meet the compliance needs of the organization.

In order to be able to add value, one also must be familiar with the guidelines that auditors are likely to be applying, as well as other related IT frameworks and methodologies. Specifically, for SOX initiatives, storage management should become familiar with COSO and COBIT. For further support, general-purpose IT frameworks such as ITIL (IT Infrastructure Library) may be helpful. Unfortunately none of these guidelines or frameworks specifically addresses storage management. Therefore, it will be necessary to translate policies and directives from business to IT to storage. Let's look at how this might be done.

COSO provides the necessary high-level guidelines for establishing sound corporate governance. The areas of focus defined by COSO include:

• Control Environment: the so-called "tone at the top", detailing specific corporate standards and objectives

• Risk Assessment: specifies the relevant areas of concern that must be addressed by governance policies and practices

• Control Activities: identify the corporate policies, practices, and procedures needed to meet compliance requirements (and, hopefully, business objectives, as well)

• Information and Communication: details the data required, the frequency of reporting, and the channels of communication required to ensure compliance

• Monitoring: covers the activities required to oversee and evaluate that the entire process is being followed and that it is meeting the intended requirements.

The first level of translation from COSO-specified corporate guidelines to IT activities and areas of focus can be accomplished through the COBIT framework, from the IT Governance Institute. COBIT identifies 34 areas of IT-specific governance and control organized into four domains:

• Plan and Organize

• Acquire and Implement

• Deliver and Support

• Monitor and Evaluate

It should be noted that COBIT is not exclusively focused on compliance. It is designed to provide an auditing framework for sound IT management. Therefore COBIT also addresses cost and efficiency concerns that go beyond the scope of compliance but are very much within the scope of business needs.

Translating to Storage

The next step is to apply COSO and COBIT principles to the storage infrastructure: first by assessing how well the storage infrastructure is addressing risk, and then by examining relevant storage processes and determining whether they are meeting corporate objectives. This requires analyzing storage operational processes, mapping them to compliance, governance, and business policies, and determining whether requirements are being met.

Unfortunately, neither COSO nor COBIT discusses storage specifically. Thus a translation layer, typically developed by the storage management group, is needed. For our clients, GlassHouse Technologies provides this translation through a storage-specific best practices framework called the Storage Management Lifecycle. The SML describes the end-to-end operational activities required to effectively and efficiently manage a storage environment. Figure 1 details the highest-level SML domains, which encompass over 200 activities and focus areas. This framework provides a direct mapping to COSO and COBIT that can serve as a guide for focusing storage activities to appropriately support compliance initiatives. The SML provides the necessary link between storage activities and corporate policies.


Figure 1: The GlassHouse Storage Management Lifecycle(sm)

A reasonable approach to establishing this link is to focus on the COSO Risk Assessment, Control Activities, and Monitoring areas by conducting a risk and process assessment of the storage environment. A minimum list of questions that the assessment must address includes:

• Does the storage organization have documented processes to address critical areas such as data protection, data security, data availability and recovery?

• Are these processes being followed?

• What levels of monitoring and reporting capabilities are in place to provide assurance that critical data is being protected and can be retrieved in accordance with corporate requirements?

Within each of the critical areas, questions should investigate the quality of each of the processes:

• Do backups complete successfully? Are appropriate measures taken to ensure that media is recoverable? Does the organization test application recoverability (in addition to file recoverability)?

• Is there a data archiving process in addition to the daily backup process? Is appropriate metadata being retained to enable timely retrieval?

• How effective is the disaster recovery process? Is keeping DR plans up to date considered in the normal change management process? Are regular DR tests performed?

• How secure is data "at rest"? What processes are in place to ensure that data stored on physical media (disk, tape, or optical) is protected in accordance with corporate policies?

In our practice, we have adapted the Software Engineering Institute's Capability Maturity Model (CMM) (see Figure 2) to assess SML processes within storage organizations. Generally, in order to meet compliance requirements an organization must be at a minimum maturity level of three for most activities and at a maturity level of four to meet control point requirements for critical tasks.


Figure 2: Capability Maturity Model

The assessment produces an analysis detailing which processes are critical to the area under consideration, such as compliance, and specifically identifies the gap between where the organization is today and where it needs to be. The gap analysis then leads to the development of a corrective action plan to address shortcomings in a prioritized fashion that will form the basis for a compliance-readiness roadmap.

The specific storage-related control points and tasks will depend upon specific guidelines identified by the compliance office, auditors, or other appropriate committee, and may vary based on the selected audit framework. Typical control points related to data protection will focus on areas related to the backup-restore and disaster recovery processes, and may include:

• Media management tracking, including offsite tape handling and inventory

• Backup success reports for SOX-critical applications

• Restore logs

• Disaster recovery planning, including maintenance, review and testing processes

• Disaster recovery application assignment and review process

• Data retention policies and verification process

• Data expiration policies and verification process

Taking Action

From the risk and process assessment, the next step is to take action. In most instances, this means addressing those activities identified as shortcomings in the assessment. This includes developing and documenting standard operating procedures. This is not a trivial activity and will require a significant investment in time from the staff, both with regard to actual development as well as testing, validation and acceptance.

Monitoring and reporting is also a significant challenge. The existing tools and technologies may provide only a subset of the data required, or may provide it in a form that is difficult to validate from an auditing perspective. For example, most backup applications can report on the success or failure of backup and restore activities, but they typically provide this information from the perspective of individual servers; there is usually no report detailing the status of a particular application. Mapping servers to applications is an additional task that must be done before one can determine whether critical SOX-related data is adequately protected.
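As an added example (not from the original article and not GlassHouse's own tooling), here is one way to produce the application-level view described above, covering two of the control points listed earlier: backup success reports for SOX-critical applications, and retention verification. It rolls the per-server job records a backup catalog typically provides up to per-application status using a server-to-application inventory the storage group maintains itself. The job records, the application inventory, the SOX-critical flags, the retention periods and the 24-hour backup window are all constructed assumptions for illustration, not the output or schema of any particular backup product.

```python
"""Roll per-server backup job records up to application-level status.

All data below is constructed for illustration: the job records, the
application inventory, the SOX-critical flags and the retention periods
are assumptions, not the output of any particular backup product.
"""
from datetime import datetime, timedelta

# Constructed per-server job records, the granularity at which most backup
# catalogs report. Fields: server, job type, status, completion time
# (ISO 8601), retention applied to the backup set (days).
BACKUP_JOBS = [
    ("fin-db-01",  "full", "SUCCESS", "2005-03-12T02:10:00", 2555),
    ("fin-db-02",  "full", "SUCCESS", "2005-03-12T02:25:00", 2555),
    ("fin-app-01", "incr", "PARTIAL", "2005-03-12T01:40:00", 2555),
    ("gl-db-01",   "full", "SUCCESS", "2005-03-10T02:05:00", 365),
    ("hr-web-01",  "incr", "FAILED",  "2005-03-12T03:00:00", 90),
    ("crm-db-01",  "full", "SUCCESS", "2005-03-12T02:50:00", 365),
]

# Hypothetical application inventory, i.e. the server-to-application mapping
# the storage group has to maintain itself: member servers, whether the
# application is in SOX scope, and the retention (days) policy requires.
# fin-rpt-01 deliberately has no job record at all; a per-server report
# would simply never mention it.
APPLICATIONS = {
    "financial-reporting": {"servers": ["fin-db-01", "fin-db-02", "fin-app-01", "fin-rpt-01"],
                            "sox": True, "retention_days": 2555},
    "general-ledger":      {"servers": ["gl-db-01"], "sox": True, "retention_days": 2555},
    "hr-portal":           {"servers": ["hr-web-01"], "sox": False, "retention_days": 90},
    "crm":                 {"servers": ["crm-db-01"], "sox": False, "retention_days": 365},
}


def latest_job_per_server(jobs):
    """Return the most recent job record for each server, keyed by server."""
    latest = {}
    for server, _kind, status, finished, retention in jobs:
        when = datetime.fromisoformat(finished)
        if server not in latest or when > latest[server]["when"]:
            latest[server] = {"status": status, "when": when, "retention": retention}
    return latest


def application_status(jobs, applications, as_of, window_hours=24):
    """Evaluate each application: it is protected only if every member server
    has a SUCCESS job inside the window with retention at or above policy.

    as_of is an ISO 8601 timestamp, the time the report is generated.
    """
    latest = latest_job_per_server(jobs)
    cutoff = datetime.fromisoformat(as_of) - timedelta(hours=window_hours)
    report = {}
    for app, spec in applications.items():
        findings = []
        for server in spec["servers"]:
            job = latest.get(server)
            if job is None:
                # The silent failure mode: a server that never ran a job does
                # not appear in a per-server success/failure report at all.
                findings.append(f"{server}: no backup record")
                continue
            if job["status"] != "SUCCESS":
                findings.append(f"{server}: last job {job['status']}")
            if job["when"] < cutoff:
                findings.append(f"{server}: last backup {job['when'].isoformat()} "
                                f"is older than {window_hours}h")
            if job["retention"] < spec["retention_days"]:
                findings.append(f"{server}: retention {job['retention']}d is shorter "
                                f"than policy {spec['retention_days']}d")
        report[app] = {"sox": spec["sox"], "protected": not findings, "findings": findings}
    return report


def sox_exceptions(report):
    """Applications in SOX scope that are not fully protected: the list an
    auditor will ask for."""
    return sorted(app for app, r in report.items() if r["sox"] and not r["protected"])


if __name__ == "__main__":
    report = application_status(BACKUP_JOBS, APPLICATIONS, "2005-03-12T08:00:00")
    for app, r in sorted(report.items()):
        flag = "SOX" if r["sox"] else "   "
        state = "PROTECTED" if r["protected"] else "EXCEPTION"
        print(f"{flag} {app:22s} {state}")
        for finding in r["findings"]:
            print(f"        - {finding}")
    print("SOX exceptions:", ", ".join(sox_exceptions(report)) or "none")
```

The case worth noticing is fin-rpt-01: a server that is part of a SOX-critical application but has no job record is invisible in a per-server success report, and only the inventory-driven roll-up surfaces it. Restore logs, another of the control points listed above, would be mapped back to applications in the same way.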

Finally, the SOX-compliance effort is not a one-time event. Storage environments are highly dynamic. Data growth rates of 50-100% annually are the norm in many organizations. Ensuring that, as additional storage is added, this new data continues to be managed in accordance with SOX policies is an ongoing activity. Strong adherence to and regular review of provisioning, configuration management, and change management activities must become part of the standard operating procedure.

If this effort is approached properly, the outcome will be more than just an infrastructure that can pass an auditing team's inspection. It will result in a storage organization that is better able to respond to users because data value is understood, and a storage organization that is more efficient because it has better documented, more repeatable processes. It will also provide a methodology for focusing technology investments specifically where they are needed and can be justified in terms the business can appreciate.

Compliance is not only the right thing to do, it's good for you too.

Jim Damoulakis is CTO of GlassHouse Technologies, the leading independent provider of storage services. He can be reached at jimd@glasshouse.com




Jim Damoulakis is CTO at GlassHouse Technologies. Jim brings 20 years of experience in systems, storage, backup/recovery, and DR, with a strong focus on architecting and implementing highly available enterprise storage solutions. Jim has spoken on storage issues in a number of venues and is a frequent contributor to key industry publications like Storage Magazine.

Before joining GlassHouse, Jim was Director of Implementation Services at CNT/Articulent in Hopkinton, MA, where he managed a team of senior technical consultants focused on SAN design and implementation, enterprise storage management, backup/recovery, and high availability.

Previously, Jim was Director of Technical Services at Invincible Technologies Corporation, where he was responsible for technical support and professional services around ITC's highly available network-attached storage products.

Jim has also held a variety of management and technical positions with Digital Equipment Corporation, FTP Software, NEC Technologies, and Apple Computer.

Jim holds a Bachelors degree from Boston University and a Masters Degree from Northwestern University. He received his MBA from Northeastern University.





© 2019 Simplex Knowledge Company. All Rights Reserved.